I got credential stuffed.

Bad passwords from years ago will come back to bite you.

I work at the company that coined the term “credential stuffing” and I led the teams that built the world’s leading credential stuffing defense platform, but I got an account taken over because of a reused a password from 10 years ago.

(Helpful reading: What is credential stuffing?)

Like many people, at one point in my life I had only three passwords — one that I used for throwaway websites, one I used for sites where I used my credit cards, and one I used for the super-important sites like banks and email. I knew I wasn’t supposed to reuse passwords but I also don’t floss every day. It’s hard to change. Even after I started prioritizing unique passwords it still only started with the upper two classes of sites — common, throwaway accounts got the generic password because I just didn’t care about the content there and didn’t think it would matter.

Obviously I was wrong. I’m reformed but those practices will never be cleaned up fully.

Image courtesy of https://unsplash.com/photos/6eL_lMJDwjM

When Minecraft’s alpha was released nearly ten years ago, I bought it and registered an account. It was a nothing game that was obviously going to go nowhere but I was stuck at home due to an injury. I didn’t end up giving it all too much time because injuries heal and pre-alpha games aren’t often all that exciting.

Fast forward 6 or 7 years and I find myself with a son who loves video games. I revisited Minecraft because I had been very wrong about the game and every single person in the entire world knew of and liked Minecraft. Especially 6 year old people.

Unfortunately, though, I found out my account was no longer my account, it was DarkStar’s. I don’t know who DarkStar was but he was now me. I ended up being able to recover the account through Mojang’s support and found that the takeover had occurred years prior without me knowing. I wasn’t able to get any information on the activity during that time so any analysis of what might have been done is hard to do.

Now what’s the point of taking over a Minecraft account aside from getting a free game? It’s hard to tell without logs, DarkStar may have just been a person who purchased a cheap Minecraft account off eBay and thought he was getting a good deal. Maybe DarkStar attempted to phish people in-game or it could have been an attacker looking for accounts that had admin access to prominent servers. Minecraft servers are frequently targeted by attackers and held for ransom and, with sometimes thousands of hours put into Minecraft creations, it shouldn’t come as a surprise that people will pay good money to regain control of them.

All accounts are valuable, not just financial ones

The impact to me was not substantial (to my knowledge) and largely recoverable but credential stuffing as an attack vector is a problem that leads to thousands of different mutations of fraud. Gaming accounts are valuable for many reasons, even for those that don’t have in-game currency, because every account has stored trust associated with them. Anyone who had played with me would have no reason to suddenly distrust my in-game avatar and an attacker could leverage that trust in hundreds of ways.

There’s no account that isn’t worth its own password, the ways people can be exploited are vast and unpredictable. For some accounts there is clear and real damage that can be inflicted quickly, for some that pain is delayed for months or years as it gets stored in a criminal’s database, and for others the damage might be inflicted on friends, family, or complete strangers. Password reuse is a social problem that is causing real damage and requires greater public awareness if there’s any hope for change. Passwords themselves are around for the time being with no sign of going away in the next 5–10 years and the more technical among us have a responsibility to help the rest of us deal with them better. Better password management is the getting-people-off-of-Internet Explorer of the 2010s. There more information on how to help others in the post What is Credential Stuffing?

Thanks for reading and, as always, please reach out with questions or your own stories!